Policy design for enterprise customers

This article shows you how to design a set of policies that enable your company, a hypothetical enterprise customer named EnterpriseExampleOrganization, to use Google Cloud Platform (GCP).

Enterprise customers typically have a long history of operation that shapes their organizational structure and internal policies. By adding multiple legal entities through acquisition, mergers, or natural market growth, these customers have developed a sophisticated and complex organizational structure, with many employees. In such a complex environment, it is critical to establish centralized control, compliance, and separation of responsibilities.

Often, the processes and tools used to manage on-premises assets must be extended to include cloud resources. This article shows you how to design policies that enable EnterpriseExampleOrganization to use GCP in a way that meets the following requirements:

  • Retain an on-premises identity system for all EnterpriseExampleOrganization users.
  • Restrict access to resources to members of EnterpriseExampleOrganization.
  • Delegate administration to teams or departments so they can manage provisioned GCP resources.
  • Distribute cross-charging across teams and the products they develop.
  • Use a self-service tool to provision equipment and compute resource requests and enforce corporate controls. This tool must be extended to cover GCP resources.
  • Make procurement decisions through a central finance team.
  • Manage security and networking controls through a central team.
  • Monitor activity occurring in EnterpriseExampleOrganization's GCP account.
  • Permit developers to use only resources granted to them by the self-service tool.
  • Gate and initiate deployment from QA to production only by authorized deployment engineers.

Governance and visibility

The following sections walk through various GCP approaches EnterpriseExampleOrganization can use to meet the list of requirements.

Identity management

EnterpriseExampleOrganization requirement addressed:

  • Retain an on-premises identity system for all EnterpriseExampleOrganization users.

GCP uses Google Accounts for authentication and access management. As a prerequisite for granting EnterpriseExampleOrganization access to GCP resources, employees must have access to a Google identity. Because you will continue to use your identity system alongside GCP, you must set up a Cloud Identity account that allows EnterpriseExampleOrganization to synchronize with on-premises identities using Cloud Directory Sync. You also need to implement SAML SSO to ensure that authentication is managed by your identity system. For more details, refer to Authentication and identity and the following diagram.

[Diagram: enterprise policy structure]

Cloud Directory Sync

By configuring a Cloud Identity and using Cloud Directory Sync, you can synchronize between your local identity system and the cloud. This gives you granular control over corporate users to whom you wish to grant direct access to GCP resources. These users are typically developers, data scientists, and operational staff.

Using SAML

GCP supports SAML 2.0 SSO, where Google acts as the service provider (SP) and a third-party identity provider (IdP) handles authentication. This ensures that authentication of the identity is delegated to your identity provider.

Organizational setup

EnterpriseExampleOrganization requirements addressed:

  • Restrict access to resources to members of EnterpriseExampleOrganization.
  • Delegate administration to teams or departments so they can manage provisioned GCP resources.
  • Distribute cross-charging across teams and the products they develop.

EnterpriseExampleOrganization requires central governance, so you need to implement the Organization resource. This gives EnterpriseExampleOrganization admins full visibility and control of company assets.

With an Organization resource in place, you can map your organization to the resource hierarchy. As part of this hierarchical organization, you can use Cloud Folders as containers for projects and other folders. Cloud Folders allow users to group projects under folders, enabling management at scale of resources and policies.

The following diagram shows an overview of this structure.

[Diagram: organizational setup]

This structure parallels the department structure of an organization, or of subsidiaries under their parent company. EnterpriseExampleOrganization can also use folders to encapsulate all the projects and assets associated with a cost center, department, or application project.

Using Cloud Folders lets you administer access management policies at the folder level. All projects under that folder inherit this policy.

Organizational security controls

EnterpriseExampleOrganization requirements addressed:

  • Restrict access to resources to members of EnterpriseExampleOrganization.
  • Monitor activity occurring in EnterpriseExampleOrganization's GCP account.
  • Use a self-service tool to provision equipment and compute resource requests and to enforce corporate controls. This tool must be extended to cover GCP resources.
  • Manage security and networking controls through a central team.
  • Permit developers to use only resources granted to them by the self-service tool.
  • Gate and initiate deployment from QA to production only by authorized deployment engineers.

The Organization Policy service provides central, programmatic control over EnterpriseExampleOrganization's cloud resources. The service provides a simple mechanism for enforcing allowed configurations across your Cloud Resource hierarchy. In this context, policies refer to Organization policies, which let you control the organization-level configuration of cloud resources.

Organization policies provide the following benefits:

  • You can set policies per project, per folder, or per organization.
  • Policies are inherited down the resource hierarchy, and a policy administrator can override them at any level on which an organizational policy can be set.
  • The organization policy administrator, not the resource owner, manages policies. This means that individual users and project owners can't override organizational policies.
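The inheritance behaviour described above (additive Cloud IAM bindings, and organization policy constraints that a policy administrator can override at a lower level) is easy to reason about with a small model. The following is an added example, not code from the original article or from Google Cloud; the tree, the group names and the organization ID are placeholders, and it models boolean constraints only (list constraints merge differently and are not shown).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Node:
    """One level of a constructed organization -> folder -> project tree."""
    name: str
    parent: Optional["Node"] = None
    # Cloud IAM: role -> members bound at this level.
    bindings: Dict[str, List[str]] = field(default_factory=dict)
    # Organization policy: constraint -> enforced? (None means "inherit").
    constraints: Dict[str, Optional[bool]] = field(default_factory=dict)

def ancestry(node: Node) -> List[Node]:
    """Path from the organization root down to node, inclusive."""
    path: List[Node] = []
    while node is not None:
        path.append(node)
        node = node.parent
    return path[::-1]

def effective_members(node: Node, role: str) -> List[str]:
    """IAM bindings are additive: union of the role's members on node and every ancestor."""
    members: List[str] = []
    for level in ancestry(node):
        for member in level.bindings.get(role, []):
            if member not in members:
                members.append(member)
    return members

def effective_constraint(node: Node, constraint: str) -> bool:
    """Boolean org policy: the nearest explicit setting wins; unset everywhere means not enforced."""
    for level in reversed(ancestry(node)):
        value = level.constraints.get(constraint)
        if value is not None:
            return value
    return False

# Constructed hierarchy mirroring the article's design (names are placeholders).
ORG = Node("organizations/EXAMPLE_ORG_ID",
           bindings={"roles/compute.networkAdmin": ["group:network-admins@example.com"]},
           constraints={"constraints/compute.skipDefaultNetworkCreation": True})
FOLDER = Node("folders/finance-department", ORG,
              bindings={"roles/viewer": ["group:finance-devs@example.com"]})
# A policy administrator overrides the organization-level constraint on one project.
PROJECT = Node("projects/finance-app-prod", FOLDER,
               bindings={"roles/viewer": ["group:ops@example.com"]},
               constraints={"constraints/compute.skipDefaultNetworkCreation": False})
```

Note that the override on the project only takes effect because an organization policy administrator set it there; a project owner without that role could not, which is the separation the list above relies on.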

Resource control

You can implement organization policies to enforce what resources are available in a GCP trust boundary (folder, project, or other organizational level).

  • Cloud Identity and Access Management enables you to manage access control by defining who (identity) has what access (role) to which resource. You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements defining who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
  • Resource Manager provides attach points and inheritance for access control and organization policies. Using the Resource Manager API lets you interact with the organization, folders, and projects.
  • In all cases, you need to think carefully about what access controls to put in place, who needs access, and where to apply the principle of least privilege.

Using Cloud Deployment Manager, you can automatically create projects with the appropriate resources and IAM policies. You can use the templates as part of a self-service system.

Functional roles

You need to map EnterpriseExampleOrganization's functional roles to appropriate Cloud IAM roles.

By using groups to manage your users, you can modify who can carry out a specific function. Adjusting the group membership negates the need to update the policy. Using EnterpriseExampleOrganization's terminology, name the groups to reflect the functional roles.

Because you will use the self-service tool to enable APIs and deploy Deployment Manager templates, you require service accounts that have appropriate permissions.

The following example Cloud IAM policies can help EnterpriseExampleOrganization meet their requirements:

Example policy: Billing Admin for the finance team

  • Resource level at which the policy is applied: Organization
  • Roles to grant: Billing Admin
  • Members to be bound: finance team
  • Functionality: The Billing Admin role allows the finance team to manage payments and invoices without granting them permission to view project contents.

Example policy: project provisioning service account

  • Resource level at which the policy is applied: Organization
  • Roles to grant: Billing User, Project Creator
  • Members to be bound: service account used for automating project and object creation
  • Functionality: The Project Creator role gives the service account used with the self-service tool permission to create projects. The Billing User role allows the service account to enable billing, that is, to associate any project in the organization with the organization's billing account.

Example policy: Network Admin for the network admin team

  • Resource level at which the policy is applied: Organization
  • Roles to grant: Network Admin
  • Members to be bound: network admin team
  • Functionality: The Network Admin role grants permission to create, modify, and delete networking resources. Granting this role to the network admin team at the organization level means they can manage the network configuration for all projects in the organization.

Auditing

Cloud Audit Logs provides you with a view into recent audit logs. It records Admin Activity logs and Data Access logs generated by GCP services to help answer the question: "Who did what, where, and when?"

You can retain individual audit log entries for a specified length of time in Stackdriver, which offers a dashboard view of recent project activity. The Stackdriver logging quota policy explains how long log entries are retained, although you cannot otherwise delete or modify the audit logs or their entries. For longer retention, you can export audit log entries to a Cloud Storage bucket, a BigQuery dataset, a Cloud Pub/Sub topic, or any combination of the three.

Tracking and understanding spending

EnterpriseExampleOrganization requirements addressed:

  • Make procurement decisions through a central finance team.
  • Distribute cross-charging across teams and the products they develop.

A single billing account, implemented in conjunction with Cloud Resource Manager and billing features, can meet EnterpriseExampleOrganization's requirements. The billing features include:

  • Projects to organize resources. Cost is shown per project, and project IDs are included in the billing export.
  • Annotation of projects with labels that represent additional grouping information (for example, environment=test). Labels are included in the billing export to allow you to break down costs in more detail. Labels can be changed after a project is created, so they are less stable than project IDs, but they are still useful.
  • Encoding a cost center into the Project Name or ID to make it easier to track costs back to the cost center.
  • Exporting billing data directly to BigQuery to enable detailed analytics.
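The three mechanisms above combine naturally: read the cost center from a project label where one exists, fall back to the cost center encoded in the project ID, and aggregate the exported rows. The following is an added example, not code from the original article or from Google Cloud; the rows are constructed in the shape of the BigQuery billing export (project.id, project.labels, cost), and the `cost-center` label key and the `cc<digits>-` project ID prefix are assumed naming conventions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Assumed conventions: a `cost-center` project label, and project IDs that start
# with the cost center when the label is absent (for example cc4410-payments-prod).
COST_CENTER_LABEL = "cost-center"
COST_CENTER_IN_ID = re.compile(r"^(cc\d{4})-")

def label_value(row: dict, key: str) -> Optional[str]:
    """Read one project label from the export's key/value label array."""
    for label in row["project"].get("labels", []):
        if label["key"] == key:
            return label["value"]
    return None

def cost_center_for(row: dict) -> Optional[str]:
    """Prefer the label; fall back to the cost center encoded in the project ID."""
    center = label_value(row, COST_CENTER_LABEL)
    if center:
        return center
    match = COST_CENTER_IN_ID.match(row["project"]["id"])
    return match.group(1) if match else None

def breakdown(rows: Iterable[dict]) -> Dict[Tuple[str, str], float]:
    """Sum cost per (cost center, environment); unattributable rows go to 'unallocated'."""
    totals: Dict[Tuple[str, str], float] = defaultdict(float)
    for row in rows:
        center = cost_center_for(row) or "unallocated"
        env = label_value(row, "environment") or "unlabelled"
        totals[(center, env)] += row["cost"]
    return {key: round(value, 2) for key, value in totals.items()}

def cost_by_center(rows: Iterable[dict]) -> Dict[str, float]:
    """Roll the (cost center, environment) breakdown up to cost center totals."""
    totals: Dict[str, float] = defaultdict(float)
    for (center, _env), cost in breakdown(rows).items():
        totals[center] += cost
    return {center: round(value, 2) for center, value in totals.items()}

SAMPLE_ROWS = [  # constructed, in the shape of the BigQuery billing export
    {"project": {"id": "cc4410-payments-prod", "labels": [
        {"key": "cost-center", "value": "cc4410"}, {"key": "environment", "value": "prod"}]},
     "cost": 120.50},
    {"project": {"id": "cc4410-payments-test", "labels": [
        {"key": "environment", "value": "test"}]}, "cost": 10.25},
    {"project": {"id": "legacy-data-lake", "labels": [
        {"key": "cost-center", "value": "cc2200"}]}, "cost": 300.00},
    {"project": {"id": "sandbox-42", "labels": []}, "cost": 4.75},
]
```

The "unallocated" bucket is the useful output for the finance team: it lists spend that neither convention can attribute, which is exactly where a label or ID convention has not been enforced.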

The following diagram illustrates a single billing account implemented in conjunction with Resource Manager.

[Diagram: billing structure]

To centrally manage billing, grant the Billing Admin role on the billing account and bind this Cloud IAM role to the users on the finance team.

Organizational and identity management policy proposal

The following diagram shows the proposed EnterpriseExampleOrganization organizational policies.

[Diagram: organizational policy]

In the preceding diagram, there are five key characteristics:

  1. Organization policy to enforce constraints and compliance.

  2. Folders for legal entities and departments, to support cross-charging.

  3. Projects for teams and apps.

  4. Use of existing corporate identities through either identity sync or single sign-on.

  5. Pre-created groups to manage Cloud IAM permissions.

Network configuration and security controls

EnterpriseExampleOrganization requirements addressed:

  • Manage security and networking controls through a central team.

EnterpriseExampleOrganization has a central team that manages security and networking controls, and wants to maintain this model when using GCP. This team requires reliable and secure connections to GCP from their offices. Cloud Interconnect provides connections with higher availability or lower latency, or both, than they could get by using internet connections.

Shared VPC

Shared VPC lets you manage common network resources, such as VPC networks and subnets, from a central host project. Other projects can also access these resources. This setup and its Cloud IAM controls make it easier to administer the central network.

With Shared VPC, you can have a VPC network, such as a common private RFC 1918 IP space, that spans multiple projects. You can add instances from any project to this VPC network or its subnets. You can also attach a VPN to a single VPC network, which can be used by all or a subset of the projects.

Shared VPC offers the following features:

  • Allows for a set of centralized network admins separate from project admins.
  • Enables you to designate a group of admins to administer the shared VPC using Cloud IAM controls.
  • Makes it easy for you to create separate sets of admins. The admins for each GCP project can create and use instances on the VPC network.
  • Lets the network admin be part of a centralized team, while users across different EnterpriseExampleOrganization departments can share the VPC network or subnet.
  • Provides a way for you to centrally manage networking resources, for example, IP addresses and subnets.
  • Enables you to apply consistent policies and enforce them across the organization.
  • Lets the network admin define a set of common firewall rules, gateways, security policies, and NAT once and apply them to all subnets, instead of defining and maintaining these policies N times, once for each project.

Network security controls

EnterpriseExampleOrganization requirements addressed:

  • Permit developers to use only resources granted to them by the self-service tool.
  • Manage security and networking controls through a central team.
  • Gate and initiate deployment from QA to production only by authorized deployment engineers.

EnterpriseExampleOrganization wants to push build assets directly to their production environment from the test environments in a secure and scheduled way. The networking model described here addresses the requirement for appropriate security controls.

Organizational security controls were discussed in a previous section. These controls and the network-specific security controls work together to address the requirements identified in this section.

IAM network roles

To meet EnterpriseExampleOrganization's requirements, you must implement appropriate network and security Cloud IAM controls.

Functionality: A central team manages networking and security controls. All projects share a single network.

Cloud IAM policies required:

  • Following best practices, set up a group that contains the identities of users who centrally manage networking and security. Use this group in the Cloud IAM policies needed to meet this requirement.
  • Shared VPC lets you map the centralized team to the management of network configuration.
  • Assign the Network Admin and the Shared VPC Admin (XPNAdmin) roles to the group at the organization level of the cloud resource hierarchy. In addition, granting the Security Admin role at the organization level to this admin group provides the permissions needed to manage firewall rules and SSL certificates.

Functionality: Projects are created using a self-service tool.

Cloud IAM policies required:

  • This functionality requires a dedicated project in which the service account able to create projects exists.
  • The self-service tool uses this service account. Grant the service account the Billing User and Project Creator roles at the organization level.
  • Separate teams can manage each service project, so you can separate development, testing, and production projects.
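The two Cloud IAM policy tables on this page (the finance, provisioning and network-admin policies under Functional roles, and the network and self-service policies just above) describe a small set of expected bindings, which makes them straightforward to audit. The following is an added example, not code from the original article or from Google Cloud: it takes a policy in the JSON shape printed by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports where the bindings depart from the design; the policy, group names and service account name are constructed placeholders.

```python
import json
from typing import Dict, List, Set

# Role IDs behind the role names in the article's tables.
BILLING_ADMIN = "roles/billing.admin"
SELF_SERVICE_ROLES = {"roles/billing.user", "roles/resourcemanager.projectCreator"}
NETWORK_TEAM_ROLES = {"roles/compute.networkAdmin", "roles/compute.xpnAdmin",
                      "roles/compute.securityAdmin"}

def audit_org_policy(policy: dict, self_service_sa: str,
                     network_group: str, finance_group: str) -> List[str]:
    """Compare an organization-level IAM policy with the design; empty list = conforms."""
    findings: List[str] = []
    roles_by_member: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
            # Design: functional roles go to groups, so membership changes need no policy edit.
            if member.startswith("user:"):
                findings.append(f"{binding['role']} bound directly to {member}; use a group")
    # Design: the self-service service account holds only Billing User and Project Creator.
    for role in sorted(roles_by_member.get(self_service_sa, set()) - SELF_SERVICE_ROLES):
        findings.append(f"self-service service account has unexpected role {role}")
    # Design: the central network/security group needs all three roles at org level.
    for role in sorted(NETWORK_TEAM_ROLES - roles_by_member.get(network_group, set())):
        findings.append(f"{network_group} is missing {role}")
    # Design: Billing Admin belongs to the finance group and nobody else.
    for member, roles in roles_by_member.items():
        if BILLING_ADMIN in roles and member != finance_group:
            findings.append(f"{member} holds {BILLING_ADMIN}; only {finance_group} should")
    return findings

# Constructed policy in the JSON shape of `gcloud organizations get-iam-policy --format=json`;
# the group and service account names are placeholders.
SELF_SERVICE_SA = "serviceAccount:self-service@provisioning-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/billing.admin",
     "members": ["group:finance@example.com", "user:alice@example.com"]},
    {"role": "roles/billing.user", "members": ["%s"]},
    {"role": "roles/resourcemanager.projectCreator", "members": ["%s"]},
    {"role": "roles/owner", "members": ["%s"]},
    {"role": "roles/compute.networkAdmin", "members": ["group:netsec@example.com"]},
    {"role": "roles/compute.xpnAdmin", "members": ["group:netsec@example.com"]}
  ]
}""" % ((SELF_SERVICE_SA,) * 3))
```

Run against the constructed policy, the audit reports four findings: a role bound to an individual user, an unexpected Owner grant on the provisioning service account, a missing Security Admin role on the network group, and a Billing Admin holder outside the finance group.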

The following diagram shows the simplest model that meets EnterpriseExampleOrganization's central control requirements. The same team can manage the development and production VPC networks.

[Diagram: architecture of central control requirements]

Firewall rules

Firewall rules manage traffic between source and target subnets or instances, where instances are identified by network tags or by the service accounts they run as. These rules provide the controls needed to ensure sufficient gates are in place between the development, testing, and production environments.
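Whether those gates actually hold depends on how the rules interact once priorities are taken into account, so it is worth checking the effective decision rather than reading each rule in isolation. The following is an added example, not code from the original article or from Google Cloud: it evaluates a constructed ingress rule set the way VPC firewall rules are evaluated (lowest priority number wins, deny beats allow at equal priority, and ingress is implicitly denied when nothing matches) and confirms that development sources cannot reach prod-tagged instances while the deployment host can reach them on SSH. The subnet ranges, tags and the deployment host address are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """A simplified ingress VPC firewall rule."""
    name: str
    priority: int            # 0-65535; a lower number is evaluated first
    action: str              # "allow" or "deny"
    source_ranges: List[str]
    target_tags: List[str] = field(default_factory=list)  # empty means every instance
    ports: Optional[List[int]] = None                     # None means all ports

def decide_ingress(rules: List[Rule], src_ip: str, target_tags: List[str],
                   port: int) -> Tuple[bool, Optional[str]]:
    """Return (allowed, deciding rule name); no match means the implied deny applies."""
    src = ipaddress.ip_address(src_ip)
    matches = [r for r in rules
               if any(src in ipaddress.ip_network(c) for c in r.source_ranges)
               and (not r.target_tags or set(r.target_tags) & set(target_tags))
               and (r.ports is None or port in r.ports)]
    if not matches:
        return False, None
    # Lowest priority number wins; at equal priority a deny beats an allow.
    winner = min(matches, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action == "allow", winner.name

def dev_to_prod_gated(rules: List[Rule], dev_ips: List[str], deploy_ip: str) -> bool:
    """Gate check: no dev host reaches prod on the probed ports; the deployment host reaches SSH."""
    for ip in dev_ips:
        for port in (22, 443, 8080):
            if decide_ingress(rules, ip, ["prod"], port)[0]:
                return False
    return decide_ingress(rules, deploy_ip, ["prod"], 22)[0]

# Constructed rule set for the article's dev/test/prod gating (ranges and tags are assumptions).
RULES = [
    Rule("allow-deploy-gate-ssh", 900, "allow", ["10.200.0.5/32"], ["prod"], [22]),
    Rule("deny-dev-to-prod", 1000, "deny", ["10.10.0.0/16", "10.20.0.0/16"], ["prod"]),
    Rule("allow-prod-internal", 1000, "allow", ["10.30.0.0/16"], ["prod"]),
    Rule("allow-dev-internal", 1000, "allow", ["10.10.0.0/16"], ["dev"]),
    # A broad allow at a lower priority (higher number) does not reopen prod from dev.
    Rule("allow-dev-web-anywhere", 2000, "allow", ["10.10.0.0/16"], [], [443]),
]
```

Removing the deny rule makes the gate check fail because the broad port 443 allow then reaches prod, which is the kind of regression a change to shared firewall rules should be tested for.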
